
Past Due Invoice, Future Wire Fraud: How a BEC Campaign Passed Every Authentication Check

Written by Audian Paxson | Apr 16, 2026 11:00:00 AM
TL;DR: A Business Email Compromise campaign impersonated a known vendor contact using display name spoofing delivered through SendGrid infrastructure. The email passed SPF, DKIM, and DMARC authentication, carried VERP bounce tracking for delivery confirmation, and attempted to redirect an overdue invoice payment to an attacker-controlled domain registered in February 2026. Themis flagged the behavioral anomaly and quarantined the message across three affected mailboxes before any payment action occurred.

Severity: Critical | Tags: BEC, Invoice Fraud | MITRE: T1566.001, T1534, T1036.005

The subject line was three words: "Past due invoice." The sender name matched a known vendor contact. SPF passed. DKIM passed. DMARC passed. And the entire purpose of the email was to reroute a real payment to an attacker-controlled bank account.

In April 2026, IRONSCALES detected a Business Email Compromise (BEC) campaign targeting a mid-size technology services firm. The attack did not rely on malware, credential harvesting links, or even a convincing email body. It relied on one thing: the recipient already expected the invoice.

BEC invoice diversion remains the most expensive category of cybercrime in the United States. The FBI IC3 2024 Annual Report documented $2.9 billion in BEC losses, and payment diversion schemes accounted for the majority. This attack illustrates exactly why.

Three Words, Zero Red Flags

The email arrived from stan@berteloot[.]org with the display name of a vendor contact the recipient had corresponded with before. The subject line ("Past due invoice.") was unremarkable. There were no urgent threats, no countdown timers, no "your account will be suspended" language. Just a routine nudge about an overdue bill.

The body reinforced the pretext with minimal text and a professional tone. The attacker tagged the message with a "BEC Payment Details" classification, a label that suggests familiarity with how internal email systems categorize financial communications.

What the recipient would not have noticed: the Reply-To address pointed to mail@ilyff[.]com, a domain registered in February 2026. If the recipient hit reply, the response would never reach the legitimate vendor. It would land in the attacker's inbox, where the next step would be a politely worded request to update the payment destination to invoice@billingsdepts[.]info.

That is the entire attack. No links to click. No attachments to open. Just a conversation designed to end with a wire transfer to the wrong account.

Why the Gateway Gave It a Green Light

The message was delivered through SendGrid (IP 159[.]183[.]224[.]102), one of the largest transactional email platforms in the world. SendGrid handles authentication on behalf of its customers, which means the SPF record for berteloot[.]org included SendGrid's infrastructure, and the DKIM signature validated correctly against SendGrid's signing keys.

DMARC? Pass. Microsoft's Composite Authentication (compauth)? Pass. The email was, from a protocol standpoint, indistinguishable from a legitimate business communication.

This is the fundamental limitation of authentication-based detection. SPF, DKIM, and DMARC verify that the sending infrastructure is authorized. They do not verify that the person controlling the sending infrastructure has honest intentions. According to the Verizon 2024 Data Breach Investigations Report, pretexting (the social engineering technique behind BEC) has doubled in frequency since 2022, and the median wire transfer loss per incident exceeds $50,000.


The Attacker's Delivery Infrastructure

The relay headers reveal a deliberate operational setup. The message originated from SendGrid's outbound pool at 159[.]183[.]224[.]102, passed through standard MX routing, and arrived with clean header chains. The attacker also configured VERP (Variable Envelope Return Path) bounce tracking, encoding recipient-specific data in the return path so that delivery success could be confirmed on a per-mailbox basis.

VERP is a legitimate email operations feature used by marketing platforms and transactional senders. In this context, it served as reconnaissance: the attacker could confirm which of the three targeted mailboxes accepted delivery and which bounced. That intelligence feeds the next campaign.

The Reply-To domain ilyff[.]com and the payment destination domain billingsdepts[.]info share a common pattern. Both were registered recently. Both use generic naming that could plausibly represent a billing department or financial services entity. Neither had any web presence, email history, or DNS records beyond the minimum required for email delivery. The Microsoft Digital Defense Report 2024 highlights that BEC actors increasingly register purpose-built domains that mimic financial terminology, making them harder to flag without behavioral context.

MITRE ATT&CK Mapping

This campaign maps to several MITRE ATT&CK techniques:

  • T1566.001 (Phishing: Spearphishing Attachment/Link): The email itself is the payload, using social engineering rather than technical exploitation.
  • T1534 (Internal Spearphishing): The attack leveraged familiarity with the target's vendor relationships to craft a convincing pretext.
  • T1036.005 (Masquerading: Match Legitimate Name or Location): Display name impersonation matched a known vendor contact.

Indicators of Compromise

| Type | Indicator | Context |
| --- | --- | --- |
| Sender Email | stan@berteloot[.]org | Impersonated vendor contact |
| Reply-To Email | mail@ilyff[.]com | Attacker-controlled reply capture |
| Payment Redirect | invoice@billingsdepts[.]info | Attacker payment destination |
| Sending IP | 159[.]183[.]224[.]102 | SendGrid delivery infrastructure |
| Subject Line | "Past due invoice." | BEC pretext |
| Classification Tag | "BEC Payment Details" | Attacker-applied message tag |

The Signal That Authentication Cannot Provide

Three mailboxes received this message. All three were quarantined by Themis, the IRONSCALES Adaptive AI, before any user replied. The detection was not based on authentication results (which all passed) or URL reputation (there were no URLs). It was based on behavioral pattern analysis: the mismatch between the display name and the envelope sender, the recently registered Reply-To domain, and the communication pattern deviation from the legitimate vendor's baseline.
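The three signals named above (display name versus sending address, a freshly registered Reply-To domain, and the Reply-To routing away from the visible sender), plus the VERP return-path observation from the infrastructure section, can be checked from headers alone. The following is an added Python example, not IRONSCALES or Themis code: the header set is a constructed stand-in with the post's indicators refanged, and the contact directory and domain-age table are assumed inputs that a deployment would source from its own address book and an RDAP/WHOIS lookup.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed header set modelled on the post's description; not the captured message.
RAW = """From: "Vendor Contact" <stan@berteloot.org>
Reply-To: mail@ilyff.com
Return-Path: <bounces+777-ap=example.com@relay.invalid>
To: ap@example.com
Subject: Past due invoice.
Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass
"""

# Assumed org directory: display names of known vendor contacts and the address on file for each.
KNOWN_CONTACTS = {"Vendor Contact": "stan@vendor.example"}
# Assumed domain-age table (days since registration); the post says the Reply-To domain was registered in February 2026.
DOMAIN_AGE_DAYS = {"ilyff.com": 45, "vendor.example": 4000}

def domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def bec_signals(raw, contacts=KNOWN_CONTACTS, ages=DOMAIN_AGE_DAYS, young_days=90):
    msg = message_from_string(raw)
    signals = []
    name, from_addr = parseaddr(msg.get("From", ""))
    reply_addr = parseaddr(msg.get("Reply-To", ""))[1]
    auth = msg.get("Authentication-Results", "").lower()
    # Authentication passing is recorded, not trusted: it proves the platform, not the person.
    if all(f"{k}=pass" in auth for k in ("spf", "dkim", "dmarc")):
        signals.append("auth_pass_only")
    # A known display name arriving from an address other than the one on file.
    expected = contacts.get(name)
    if expected and from_addr.lower() != expected.lower():
        signals.append("display_name_mismatch")
    # Reply-To silently routes the conversation to a different domain than the visible sender.
    if reply_addr and domain(reply_addr) != domain(from_addr):
        signals.append("reply_to_domain_differs")
    # Reply-To domain registered too recently to have any history with this organisation.
    if reply_addr and ages.get(domain(reply_addr), 10**6) < young_days:
        signals.append("reply_to_domain_young")
    # VERP-style return path embedding the recipient (per-mailbox delivery confirmation).
    rcpt, ret = parseaddr(msg.get("To", ""))[1], parseaddr(msg.get("Return-Path", ""))[1]
    if rcpt and ret and rcpt.replace("@", "=").lower() in ret.lower():
        signals.append("verp_return_path")
    return signals

def verdict(raw):
    risky = {"display_name_mismatch", "reply_to_domain_differs", "reply_to_domain_young"}
    return "quarantine" if len(risky & set(bec_signals(raw))) >= 2 else "deliver"
```

The point of the `auth_pass_only` entry is that a clean SPF/DKIM/DMARC result shows up in the explanation but carries no weight in the verdict; only the behavioral signals do.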

This is the gap that BEC exploits. Authentication tells you whether an email is technically authorized. It tells you nothing about whether the person behind it is who they claim to be. The IBM Cost of a Data Breach 2024 report found that BEC-initiated breaches cost an average of $4.88 million, with the longest mean time to identify of any attack vector at 261 days.

CISA's email authentication guidance recommends DMARC at p=reject for all organizations, but even perfect authentication cannot stop an attacker who controls a legitimately authenticated sending platform. Security teams need behavioral detection that evaluates who is sending, why, and whether the communication pattern matches historical norms. Without that layer, the next "past due invoice" might cost more than the original bill.

Email Attack of the Day is a daily series from IRONSCALES spotlighting real phishing attacks caught by Adaptive AI and our community of 30,000+ security professionals. Each post breaks down one attack — what it looked like, why it worked, and what you can do about it.